Troubleshoot object synchronization with Azure AD Connect sync

This article provides steps for troubleshooting issues with object synchronization by using the troubleshooting task.

Troubleshooting task

For Azure AD Connect deployments with version 1.1.749.0 or higher, use the troubleshooting task in the wizard to troubleshoot object synchronization issues. For earlier versions, troubleshoot manually as described here.

Run the troubleshooting task in the wizard

To run the troubleshooting task in the wizard, perform the following steps:

  1. Open a new Windows PowerShell session on your Azure AD Connect server with the Run as Administrator option.
  2. Run Set-ExecutionPolicy RemoteSigned or Set-ExecutionPolicy Unrestricted.
  3. Start the Azure AD Connect wizard.
  4. Navigate to the Additional Tasks page, select Troubleshoot, and click Next.
  5. On the Troubleshooting page, click Launch to start the troubleshooting menu in PowerShell.
  6. In the main menu, select Troubleshoot Object Synchronization.

(Screenshot: Troubleshoot object synchronization)

Troubleshooting input parameters

The troubleshooting task needs the following input parameters:

  1. Object Distinguished Name: the distinguished name of the object that needs troubleshooting.
  2. AD Connector Name: the name of the AD forest where the above object resides.
  3. Azure AD tenant global administrator credentials.

Understand the results of the troubleshooting task

The troubleshooting task performs the following checks:

  1. Detect a UPN mismatch if the object is synced to Azure Active Directory.
  2. Check whether the object is filtered due to domain filtering.
  3. Check whether the object is filtered due to OU filtering.
  4. Check whether object synchronization is blocked due to a linked mailbox.

The rest of this section describes the specific results that are returned by the task. In each case, the task provides an analysis followed by recommended actions to resolve the issue.

Detect UPN mismatch if the object is synced to Azure Active Directory

UPN suffix is NOT verified with the Azure AD tenant

When the UserPrincipalName (UPN)/Alternate Login ID suffix is not verified with the Azure AD tenant, Azure Active Directory replaces the UPN suffix with the default domain name "partner.onmschina.cn".

(Screenshot: Azure AD replaces the UPN)

Azure AD tenant DirSync feature 'SynchronizeUpnForManagedUsers' is disabled

When the Azure AD tenant DirSync feature 'SynchronizeUpnForManagedUsers' is disabled, Azure Active Directory does not allow synchronization updates to UserPrincipalName/Alternate Login ID for licensed user accounts with managed authentication.

(Screenshot: SynchronizeUpnForManagedUsers)

Object is filtered due to domain filtering

Domain is not configured to sync

The object is out of scope because its domain is not configured to sync. In the example below, the object is out of sync scope because the domain that it belongs to is filtered from synchronization.

(Screenshot: Domain is not configured to sync)

Domain is configured to sync but is missing run profiles/run steps

The object is out of scope because the domain is missing run profiles/run steps. In the example below, the object is out of sync scope because the domain that it belongs to is missing run steps for the Full Import run profile.

(Screenshot: Missing run profiles)

Object is filtered due to OU filtering

The object is out of sync scope due to the OU filtering configuration. In the example below, the object belongs to OU=NoSync,DC=bvtadwbackdc,DC=com. This OU is not included in sync scope.

(Screenshot: OU filtering)
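The domain-filtering, OU-filtering and unverified-UPN-suffix results above all come from comparing one object's attributes against the sync configuration. The following added example (not code from the article or from Azure AD Connect) reproduces those three checks offline on constructed data, so you can see what the task is looking for before you run it; the function name, parameter names and sample object are assumptions.

```powershell
# Added example: reproduce the troubleshooting task's scope and UPN-suffix checks
# for one object. Inputs are passed in explicitly; nothing here queries AD or Azure AD.
function Test-SyncObjectScope {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [string[]] $SyncedDomains,     # DNS names of domains configured to sync
        [string[]] $ExcludedOUs,       # DNs of OUs excluded from sync scope
        [string[]] $VerifiedSuffixes,  # UPN suffixes verified in the Azure AD tenant
        [string] $DefaultSuffix = 'partner.onmschina.cn'  # tenant default domain from the article
    )
    $findings = @()

    # Domain filtering: rebuild the DNS name from the DC= components of the DN.
    # (Simplification: escaped commas inside RDN values are not handled.)
    $dcParts = ($DistinguishedName -split ',') |
        Where-Object { $_ -like 'DC=*' } |
        ForEach-Object { $_.Substring(3) }
    $domain = $dcParts -join '.'
    if ($SyncedDomains -notcontains $domain) {
        $findings += "Out of scope: domain '$domain' is not configured to sync"
    }

    # OU filtering: the object is filtered if its DN sits under an excluded OU.
    foreach ($ou in $ExcludedOUs) {
        if ($DistinguishedName.EndsWith(",$ou", [System.StringComparison]::OrdinalIgnoreCase)) {
            $findings += "Out of scope: OU '$ou' is not included in sync scope"
        }
    }

    # UPN suffix: an unverified suffix is replaced with the tenant default in Azure AD.
    $prefix, $suffix = $UserPrincipalName.Split('@', 2)
    if ($VerifiedSuffixes -notcontains $suffix) {
        $findings += "UPN suffix '$suffix' is not verified; Azure AD will use $prefix@$DefaultSuffix"
    }
    return $findings
}

# Constructed sample object, modelled on the article's OU=NoSync example.
Test-SyncObjectScope -DistinguishedName 'CN=Jane Doe,OU=NoSync,DC=bvtadwbackdc,DC=com' `
    -UserPrincipalName 'jane@contoso.local' `
    -SyncedDomains 'bvtadwbackdc.com' `
    -ExcludedOUs 'OU=NoSync,DC=bvtadwbackdc,DC=com' `
    -VerifiedSuffixes 'contoso.com'
```

With the sample inputs the function reports the OU and the unverified suffix; the domain check passes because bvtadwbackdc.com is in the synced list.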

Linked mailbox issue

A linked mailbox is supposed to be associated with an external master account located in another trusted account forest. If there is no such external master account, Azure AD Connect does not synchronize the user account corresponding to the linked mailbox in the Exchange forest to the Azure AD tenant.

(Screenshot: Linked mailbox)

HTML report

In addition to analyzing the object, the troubleshooting task also generates an HTML report that contains everything known about the object. This HTML report can be shared with the support team for further troubleshooting, if needed.

(Screenshot: HTML report)

Next steps

Learn more about integrating your on-premises identities with Azure Active Directory.